I am running Traefik 3.3.4 in Docker on a Raspberry Pi, and Pi-hole for local DNS on the same Pi.
It is serving up the services on the same Docker network no problem.
When I try to set up a redirect on services located on a different network to the Traefik proxy network, like the host network for homeassistant, all I get is it resolving to a website with a giant favicon of the service (in this case homeassistant).
I have specified the routers and services for homeassistant in the Traefik config.yml file for this to resolve, and the pages do have a valid Cloudflare certificate from Traefik, but I can't access the service.
This is my config file (based on Jim's Garage template):
```yaml
http:
  middlewares:
    default-security-headers:
      headers:
        customBrowserXSSValue: 0 # X-XSS-Protection=1; mode=block
        contentTypeNosniff: true # X-Content-Type-Options=nosniff
        forceSTSHeader: true # Add the Strict-Transport-Security header even when the connection is HTTP
        frameDeny: false # X-Frame-Options=deny
        referrerPolicy: "strict-origin-when-cross-origin"
        stsIncludeSubdomains: true # Add includeSubdomains to the Strict-Transport-Security header
        stsPreload: true # Add preload flag appended to the Strict-Transport-Security header
        stsSeconds: 3153600 # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
        contentSecurityPolicy: "default-src 'self'"
        customRequestHeaders:
          X-Forwarded-Proto: https
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
  routers:
    homeassistant:
      entryPoints:
        - "https"
      rule: "Host(`homeassistant.xxxxxxxredacted`)"
      middlewares:
        - default-security-headers
        - https-redirectscheme
      tls: {}
      service: homeassistant
    ollama:
      entryPoints:
        - "https"
      rule: "Host(`ollama.paulmelloy.com.au`)"
      middlewares:
        - default-security-headers
        - https-redirectscheme
      tls: {}
      service: ollama
  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://xxxxxxxredacted:8123"
        passHostHeader: true
    ollama:
      loadBalancer:
        servers:
          - url: "http://xxxxxxxredacted:3000"
        passHostHeader: true
```
Share your full Traefik static and dynamic config, and Docker compose file if used.
Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc). What is shown during startup and during failing requests?
You can simplify your dynamic config, place redirect and TLS globally on entrypoint in static config, that’s also possible for headers. Check simple Traefik example.
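The layout suggested in the reply above, sketched as an added example (not the poster's file and not the Traefik project's own example): redirect, TLS and the headers middleware move to the entrypoints in the static config, so each router keeps only its entrypoint, rule and service. `example.com` and `192.0.2.10` are placeholders; the entrypoint, resolver and middleware names are the ones used in this thread.

```yaml
# traefik.yaml (static config), added example
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
  https:
    address: ":443"
    http:
      # Runs for every router attached to this entrypoint.
      # The middleware itself is still defined in the file provider.
      middlewares:
        - default-security-headers@file
      tls:
        certResolver: cloudflare
        domains:
          - main: "example.com"        # placeholder domain
            sans:
              - "*.example.com"

# config.yaml (dynamic config), added example
# Routers no longer repeat the redirect, tls or middlewares keys.
http:
  routers:
    homeassistant:
      entryPoints:
        - "https"
      rule: "Host(`homeassistant.example.com`)"
      service: homeassistant
  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://192.0.2.10:8123"   # placeholder backend address
```

With the middleware on the entrypoint, every header it sets, including `contentSecurityPolicy`, is applied to all services behind `https`, so a service that needs a different policy has to be handled explicitly.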
Files below, I can't see any errors in the traefik.log or the access.log
access.log
```
192.168.1.XXX - - [21/Mar/2025:08:23:27 +0000] "GET / HTTP/2.0" 200 2343 "-" "-" 31 "homeassistant@file" "http://192.168.1.XXX:8123" 2ms
192.168.1.XXX - - [21/Mar/2025:08:23:27 +0000] "GET /manifest.json HTTP/2.0" 200 484 "-" "-" 32 "homeassistant@file" "http://192.168.1.XXX:8123" 2ms
192.168.1.XXX - - [21/Mar/2025:08:23:29 +0000] "GET /sw-modern.js HTTP/2.0" 304 0 "-" "-" 33 "homeassistant@file" "http://192.168.1.XXX:8123" 1ms
```
traefik.yaml
```yaml
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yaml # example provided gives A+ rating https://www.ssllabs.com/ssltest/
certificatesResolvers:
  cloudflare:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory # production (default)
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging (testing)
      email: *******l@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare # change as required
        delayBeforeCheck: 60s
        #disablePropagationCheck: true # Some people using Cloudflare note this can solve DNS propagation issues.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log" # perhaps turn off in the future
accessLog:
  filePath: "/var/log/traefik/access.log"
```
docker-compose.yaml
```yaml
secrets:
  cf-api-token:
    file: ./cf-api-token
services:
  traefik:
    image: traefik:latest # traefik:v3.3
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true # helps to increase security
    secrets:
      - cf-api-token # the secret at the top of this file
    env_file:
      - .env
    networks:
      proxy:
    ports:
      - 80:80
      - 443:443
    environment:
      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
      - CF_API_EMAIL=****@.gmail.com
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf-api-token
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/paul/containers/traefik/config/traefik.yaml:/traefik.yaml:ro
      - /home/paul/containers/traefik/config/acme.json:/acme.json
      - /home/paul/containers/traefik/config/config.yaml:/config.yaml:ro
      - /home/paul/containers/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.*********.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.*********.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=*********.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.*********.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
```